Identification of cyber security breaches and attacks
Cyber security breaches and attacks remain a common threat. However, smaller organisations are identifying them less than last year. This may reflect that senior managers in smaller organisations view cyber security as less of a priority in the current economic climate than in previous years, so are undertaking less monitoring and logging of breaches or attacks.
- 32% of businesses and 24% of charities overall recall any breaches or attacks from the last 12 months. This is much higher for medium businesses (59%), large businesses (69%) and high-income charities with £500,000 or more in annual income (56%).
- This is a decrease from 39% of businesses and 30% of charities in 2022. The drop is driven by smaller organisations – the results for medium and large businesses, and high-income charities, remain at similar levels to last year.
- Among those identifying any breaches or attacks, we estimate that the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,100. For medium and large businesses, this was approximately £4,960. For charities, it was approximately £530.
- The proportion of micro businesses saying cyber security is a high priority has decreased from 80% in 2022 to 68% this year. Qualitative evidence suggests that cyber security has dropped down the priority lists for these smaller organisations, relative to wider economic concerns like inflation and uncertainty.
The most common cyber threats are relatively unsophisticated, so government guidance advises businesses and charities to protect themselves using a set of “cyber hygiene” measures. A majority of businesses and charities have a broad range of these measures in place. The most common are updated malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls – each administered by two-thirds or more of businesses and half or more charities. However, across the last three waves of the survey, some areas of cyber hygiene have seen consistent declines among businesses. This includes:
- use of password policies (79% in 2021, vs. 70% in 2023)
- use of network firewalls (78% in 2021, vs. 66% in 2023)
- restricting admin rights (75% in 2021, vs. 67% in 2023)
- policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023).
These trends mainly reflect shifts in the micro business population and, to a lesser extent, small and medium businesses – large business results have not changed.
Risk management and supply chains
A larger proportion of businesses take actions to identify cyber risks than charities. Larger businesses are the most advanced in this regard. For the first time, the majority of large businesses are reviewing supply chain risks, although this is still relatively rare across organisations overall.
- Three in ten businesses have undertaken cyber security risk assessments (29%, vs. 27% of charities) in the last year – rising to 51% of medium businesses and 63% of large businesses.
- A similar proportion of businesses deployed security monitoring tools (30%, vs. 19% of charities) – rising to 53% of medium businesses and 72% of large businesses.
- Under four in ten businesses (37%) and a third of charities (33%) report being insured against cyber security risks – rising to 63% of medium businesses and 55% of large businesses (i.e. cyber insurance is more common in medium businesses than large ones).
- Just over one in ten businesses say they review the risks posed by their immediate suppliers (13%, vs. 11% of charities). More medium businesses (27%) and large businesses (55%) review immediate supplier risks. The latter result is up from 44% of large businesses in 2022.
- Qualitative data suggests that receiving messaging around supply chain risks from bodies such as the National Cyber Security Centre (NCSC), or having the topic raised in audits, helps encourage organisations to take action in this area.
Board engagement and corporate governance
Board engagement and corporate governance approaches towards cyber security tend to be more sophisticated in larger organisations, although corporate reporting of cyber risks remains relatively uncommon, even among large businesses.
- Three in ten businesses (30%) and charities (31%) have board members or trustees explicitly responsible for cyber security as part of their job role – rising to 41% of medium businesses and 53% of large businesses.
- 21% of medium businesses and 30% of large businesses have heard of the NCSC’s Board Toolkit (https://www.ncsc.gov.uk/collection/board-toolkit) – rising from 11% and 22% respectively in 2020 (when it was introduced).
- 49% of medium businesses, 68% of large businesses and 36% of high-income charities have a formal cyber security strategy in place. Qualitative data suggests the impetus to develop strategies can come from management board pressure, audits and business acquisition. It can also coincide with cyber teams gaining operational independence, for example from IT departments.
- In the last year, 16% of corporate annual reports across medium businesses covered cyber risks, rising to 33% of the reports published by large businesses. Across charities (of all income groups), 9% of these reports covered cyber risks.
- Qualitative data shows a similar set of issues to previous years that prevent boards from engaging more in cyber security, including a lack of knowledge, training and time. It also highlights the importance of people in cyber roles being able to write persuasive business cases for cyber security spending, especially when they report directly to finance leads.
Cyber accreditations and following guidance
The proportion of organisations seeking external information or guidance on cyber security remains stable, at almost half. However, this means that a sizeable proportion of organisations, including larger organisations, continue to be unaware of government guidance such as the 10 Steps to Cyber Security (https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security), and the government-endorsed Cyber Essentials (https://www.cyberessentials.ncsc.gov.uk/) standard. Linked to this, relatively few organisations at present are adhering to recognised standards or accreditations, such as Cyber Essentials or ISO 27001.
- 49% of businesses and 44% of charities report seeking information or guidance on cyber security from outside their organisation in the past year, most commonly from external cyber security consultants, IT consultants or IT service providers.
- 14% of businesses and 19% of charities are aware of the 10 Steps guidance – rising to 32% of medium businesses and 44% of large businesses. Nevertheless, around two-fifths of businesses (37%) and three in ten charities (30%) have taken action on 5 or more of the 10 Steps. This is much more common in medium businesses (75%) and large businesses (89%). Just 2% of businesses and charities have enacted all 10 Steps, increasing to 7% of medium businesses and 20% of large businesses.
- 14% of businesses and 15% of charities are aware of the Cyber Essentials scheme – rising to 50% of medium businesses and 59% of large businesses.
- A total of 9% of businesses and 5% of charities report adhering to ISO 27001. This is again higher among large businesses (27%).
- Qualitative findings suggest the desire to seek external accreditation can be because clients demand it. It can also be a convenient way for organisations to generate a standardised set of documentation on their cyber security standards, or to enforce or speed up a positive change in their staff culture.
While a large majority of organisations say that they will take several actions following a cyber incident, in reality a minority have agreed processes already in place to support this. This highlights an area for ongoing improvement for the study to continue monitoring next year.
- The most common processes, mentioned by between a quarter and two-fifths of businesses and charities, are having specific roles and responsibilities assigned to individuals, having guidance on external reporting, and guidance on internal reporting.
- Formal incident response plans are not widespread (21% of businesses and 16% of charities have them). This rises to 47% of medium-sized businesses, 64% of large businesses and 38% of high-income charities.
- Qualitative findings suggest another area for potential improvement is the relative disconnect between IT or specialist cyber teams and wider staff (including management boards) when it comes to incident response. Bridging this gap was felt to require good, regular communication between IT teams and wider staff. Post-incident reviews were also seen as a way to engage wider staff in cyber security.
Some cyber security breaches and attacks do not constitute cyber crimes under the Computer Misuse Act 1990 (https://www.legislation.gov.uk/ukpga/1990/18/contents) and the Home Office Counting Rules (https://www.gov.uk/government/publications/counting-rules-for-recorded-crime). New questions were added this year to establish the extent to which the breaches or attacks that organisations experience could be defined as cyber crimes committed against them, using the principles in the Home Office Counting Rules. Further new questions explored the extent of fraud that occurred as a result of cyber crime. More detail about definitions of cyber crime and the rationale for expanding the survey in this way can be found in Chapter 6.
As this is the first year these questions have been asked and there is no baseline for comparison, users should be relatively cautious when interpreting these statistics.
The findings show that cyber crime is more prevalent among larger organisations, although this may be a sign of underreporting among smaller organisations.
- A total of 11% of businesses and 8% of charities have experienced cyber crime in the last 12 months, rising to 26% of medium businesses, 37% of large businesses and 25% of high-income charities. Looked at another way, among the 32% of businesses and 24% of charities identifying any cyber security breaches or attacks, around a third (34% for businesses and 32% for charities) ended up being victims of cyber crime.
- Separately, a total of 3% of businesses and 1% of charities have been victims of fraud as a result of cyber crime. This accounts for 9% of the businesses and 6% of the charities that identify any cyber security breaches or attacks.
- We estimate that, across all UK businesses, there were approximately 2.39 million instances of cyber crime and approximately 49,000 instances of fraud as a result of cyber crime in the last 12 months. Across charities, there were approximately 785,000 cyber crimes over this period. The sample sizes do not allow us to estimate the scale of fraud resulting from cyber crime across charities. It should be noted that these estimates of scale will have a relatively wide margin of error.
- The average (mean) annual cost of cyber crime for businesses is estimated at approximately £15,300 per victim. The sample sizes do not allow this cost calculation for charities.